
What Is the Deal With Passwords Vs. Passwordless Vs. Multi-Factor Authentication (MFA)?

Posted by Mauro Gris and Alexi Helligar on March 10, 2020 at 7:17 PM


Passwords vs. “Passwordless” vs. Multi-Factor Authentication (MFA)

Passwords attract attackers and are susceptible to a variety of attacks, such as phishing, malware, social engineering, and credential stuffing. Research indicates that increasing password complexity can sometimes reduce security because of the weakest link in the security chain: the human factor. Many people cannot remember long or complex passwords, so they tend to write them down.

“Passwordless” authentication vs. MFA

As companies gradually awaken to the security dangers of relying on easily stolen and shared passwords, alternative security systems have taken the spotlight. Several authentication methods do not involve passwords at all: hardware tokens (an object or device the user possesses that verifies their identity), or biometric sensing of a physical feature belonging to the user, such as a fingerprint or facial features.

While these methods each take a different approach to passwordless authentication, they have one thing in common: the user's authentication secret is never stored within the system the way a password (or its hash) would be. This crucial property is what gives passwordless solutions their security advantage.
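The following Go program is an added illustration, not code from the original post: it models the passwordless challenge-response flow described above, assuming a FIDO-style public-key scheme in which the server stores only a public key, the user's device signs a fresh single-use nonce, and the private key never leaves the device. The Server and Authenticator types and the 32-byte nonce length are this example's own assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)
// Server holds only public keys and outstanding challenge nonces; a dump of this state gives an attacker nothing to replay or reuse.
type Server struct {
	pubKeys    map[string]ed25519.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{pubKeys: map[string]ed25519.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the public key only; the private key never leaves the device.
func (s *Server) Register(user string, pub ed25519.PublicKey) { s.pubKeys[user] = pub }

// Challenge issues a fresh random nonce that the user's device must sign.
func (s *Server) Challenge(user string) []byte {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err) // a failing CSPRNG must not be limped past
	}
	s.challenges[user] = nonce
	return nonce
}

// Verify checks the signature over the outstanding nonce and consumes it either way, so a captured response cannot be replayed.
func (s *Server) Verify(user string, sig []byte) bool {
	nonce, issued := s.challenges[user]
	pub, registered := s.pubKeys[user]
	delete(s.challenges, user)
	if !issued || !registered || len(pub) != ed25519.PublicKeySize {
		return false
	}
	return ed25519.Verify(pub, nonce, sig)
}

// Authenticator models the user's device (hardware token or phone): the private key never leaves it, only signatures do.
type Authenticator struct{ priv ed25519.PrivateKey }
func NewAuthenticator() (*Authenticator, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}, pub
}
func (a *Authenticator) Respond(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }
```

Contrast this with a password login: there the server must keep a verifier derived from the user's secret, and whatever the user types can be phished or replayed, whereas here a stolen database yields only public keys and a captured response is worthless once its nonce has been consumed.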

Passwords are one of three possible authentication factors. Authentication is generally accomplished by validating one or more of three types of factors:

  1. something you know (e.g., a password);

  2. something you have (e.g., a hardware token or smartphone); and

  3. something you are (e.g., a fingerprint).

MFA employs two or more different types of authentication factors. In an MFA solution, a password need not be one of the factors used. MFA has rapidly gained adoption as a method for increasing the assurance of authentication for consumer and enterprise web and mobile applications.

Regulatory bodies acknowledge the weaknesses and security threats associated with the storage and use of passwords. That is why they keep raising the bar for the minimum requirements of passwords (length, complexity, encryption, change cycles). In many cases, regulators require the use of two-factor authentication.

For example, the National Institute of Standards and Technology (NIST), the body that sets technology standards in the U.S. and acts as a point of reference for many other countries, requires that MFA be used in many scenarios, such as for financial institutions. Many web services (such as Google and Facebook) have adopted MFA in order to protect users.

MFA is certainly better than relying on a password alone, but eliminating passwords altogether would be better still. A password-plus-second-factor policy retains the inherent flaws of passwords: users are still required to memorize and safeguard secrets, so the risk of password reuse remains, and so do the costs of maintaining passwords. In fact, according to researchers at Proofpoint, attackers can even use passwords to bypass the second authentication factor altogether. In many cases the second factor is just a “band-aid” that organizations apply to strengthen their first line of defense, which is still passwords with all their attendant weaknesses. Here they are making a big, and potentially expensive, mistake.

Emerging passwordless standards and the increased availability of devices that support passwordless authentication methods are driving adoption. Biometrics have become increasingly popular as a “passwordless” method for stronger identification, but other options include hardware tokens, phone-as-a-token, Fast IDentity Online (FIDO), and analytics based on passive behaviors.


Benefits of passwordless authentication

    • User Experience: Passwordless authentication means no more user-memorized secrets, which streamlines the authentication process. Removing passwords from the picture means users no longer have to devise and remember a password for each of their accounts, nor type one in every time they log on.

    • Better Security: User-controlled passwords are a major vulnerability. Users reuse passwords and can share them with others. Passwords, the biggest attack vector, are also vulnerable to credential stuffing, corporate account takeover (CATO), password spraying, brute-force attacks, and more.

    • Reduction in Total Cost of Ownership (TCO): Passwords are expensive; they require constant maintenance from IT staff, who have to update systems when users change their passwords, and they need to be changed on a regular basis. According to industry research, password resets account for as much as half of all help desk calls, which places a tremendous burden on company IT. According to Forrester, the cost of a single password reset averages $70.

    • IT Gains Control and Visibility: Reuse and sharing are common issues in password-based authentication. With passwordless authentication, IT reclaims its purpose of having complete visibility over identity and access management. Without passwords, there is nothing to phish, share, or reuse. The user is no longer the wild card in an organization’s access scheme.

Password management software

Since it is still hard to imagine a world entirely without passwords, how do we protect the ones we have?

A password manager is a software application used to store and manage the passwords a user holds for various online accounts and security features. Password managers help users and administrators handle a large number of passwords and account details. They store the login information for each account and automatically enter it into login forms. This helps defend against attacks such as keystroke logging and removes the need for users to remember multiple passwords.

The login information is encrypted and stored either locally on the user’s system or in cloud storage. Portable password manager applications installed on mobile devices can also be used to manage and remember passwords anywhere and to use them on shared systems. The password database itself can be unlocked using an MFA approach that does not require a password.
